From 3aa9aed214131a4439abe19eedc95b57ede9e647 Mon Sep 17 00:00:00 2001
From: xuchenchen
Date: Mon, 29 Apr 2024 14:35:49 +0800
Subject: [PATCH] nscd: Avoid null pointer crashes after notfound response (CVE-2024-33600)

---
 0001-fix-CVE-2024-33600.patch | 93 +++++++++++++++++++++++++++++++++++
 glibc.spec | 6 ++-
 2 files changed, 98 insertions(+), 1 deletion(-)
 create mode 100644 0001-fix-CVE-2024-33600.patch

diff --git a/0001-fix-CVE-2024-33600.patch b/0001-fix-CVE-2024-33600.patch
new file mode 100644
index 0000000..cea93ed
--- /dev/null
+++ b/0001-fix-CVE-2024-33600.patch
@@ -0,0 +1,93 @@
+From b048a482f088e53144d26a61c390bed0210f49f2 Mon Sep 17 00:00:00 2001
+From: Florian Weimer
+Date: Thu, 25 Apr 2024 15:01:07 +0200
+Subject: [PATCH] fix CVE-2024-33600
+
+The addgetnetgrentX call in addinnetgrX may have failed to produce
+a result, so the result variable in addinnetgrX can be NULL.
+Use db->negtimeout as the fallback value if there is no result data;
+the timeout is also overwritten below.
+
+Also avoid sending a second not-found response. (The client
+disconnects after receiving the first response, so the data stream did
+not go out of sync even without this fix.) It is still beneficial to
+add the negative response to the mapping, so that the client can get
+it from there in the future, instead of going through the socket.
+---
+ nscd/netgroupcache.c | 25 +++++++++++++------------
+ 1 file changed, 13 insertions(+), 12 deletions(-)
+
+diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
+index 06b7d7b6..9be33ab7 100644
+--- a/nscd/netgroupcache.c
++++ b/nscd/netgroupcache.c
+@@ -147,7 +147,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
+ /* No such service. */
+ cacheable = do_notfound (db, fd, req, key, &dataset, &total, &timeout,
+ &key_copy);
+- goto writeout;
++ goto maybe_cache_add;
+ }
+
+ memset (&data, '\0', sizeof (data));
+@@ -348,7 +348,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
+ {
+ cacheable = do_notfound (db, fd, req, key, &dataset, &total, &timeout,
+ &key_copy);
+- goto writeout;
++ goto maybe_cache_add;
+ }
+
+ total = buffilled;
+@@ -410,14 +410,12 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
+ }
+
+ if (he == NULL && fd != -1)
+- {
+- /* We write the dataset before inserting it to the database
+- since while inserting this thread might block and so would
+- unnecessarily let the receiver wait. */
+- writeout:
++ /* We write the dataset before inserting it to the database since
++ while inserting this thread might block and so would
++ unnecessarily let the receiver wait. */
+ writeall (fd, &dataset->resp, dataset->head.recsize);
+- }
+
++ maybe_cache_add:
+ if (cacheable)
+ {
+ /* If necessary, we also propagate the data to disk. */
+@@ -512,14 +510,15 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
+
+ datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len,
+ sizeof (innetgroup_response_header),
+- he == NULL ? 0 : dh->nreloads + 1, result->head.ttl);
++ he == NULL ? 0 : dh->nreloads + 1,
++ result == NULL ? db->negtimeout : result->head.ttl);
+ /* Set the notfound status and timeout based on the result from
+ getnetgrent. */
+- dataset->head.notfound = result->head.notfound;
++ dataset->head.notfound = result == NULL || result->head.notfound;
+ dataset->head.timeout = timeout;
+
+ dataset->resp.version = NSCD_VERSION;
+- dataset->resp.found = result->resp.found;
++ dataset->resp.found = result != NULL && result->resp.found;
+ /* Until we find a matching entry the result is 0. */
+ dataset->resp.result = 0;
+
+@@ -567,7 +566,9 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
+ goto out;
+ }
+
+- if (he == NULL)
++ /* addgetnetgrentX may have already sent a notfound response. Do
++ not send another one. */
++ if (he == NULL && dataset->resp.found)
+ {
+ /* We write the dataset before inserting it to the database
+ since while inserting this thread might block and so would
+-- 
+2.27.0
+
diff --git a/glibc.spec b/glibc.spec
index 45b706d..7d9c348 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -67,7 +67,7 @@
 ##############################################################################
 Name: glibc
 Version: 2.38
-Release: 26
+Release: 27
 Summary: The GNU libc libraries
 License: %{all_license}
 URL: http://www.gnu.org/software/glibc/
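Review bot: The header of the new 0001-fix-CVE-2024-33600.patch does not say what it backports: the From line carries commit id b048a482f088e53144d26a61c390bed0210f49f2, which appears to be an upstream glibc commit, but the Subject has been rewritten to `fix CVE-2024-33600`, and the message body describes two separable changes (the NULL `result` fallback in addinnetgrX, and the `writeout` to `maybe_cache_add` relabeling in addgetnetgrentX that avoids a second not-found response), so the file may fold more than one upstream commit into one. Keeping the upstream subject line(s) and adding a provenance line such as `Backport of upstream commit <upstream-commit-id> (plus any follow-up) for CVE-2024-33600` lets a reviewer diff the backport against upstream and lets the CVE tracker confirm the fix is complete. The same provenance should appear in the glibc.spec changelog entry, which currently reads only `- fix CVE-2024-33600`. The hunk headers in the embedded patch reference netgroupcache.c line numbers that cannot be checked from here; a note that the patch applies without fuzz to 2.38 would remove that doubt.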
@@ -197,6 +197,7 @@ Patch9019: 0001-fix-glibc-build-error-on-x86.patch
 Patch9021: reserve-relocation-information-for-sysboost.patch
 %endif
 Patch9022: add-Wl-z-noseparate-code-for-so.patch
+Patch9023: 0001-fix-CVE-2024-33600.patch
 Provides: ldconfig rtld(GNU_HASH) bundled(gnulib)
@@ -1393,6 +1394,9 @@ fi
 %endif
 %changelog
+* Mon Apr 29 2024 xuchenchen - 2.38-27
+- fix CVE-2024-33600
+
 * Tue Apr 23 2024 Yang Yanchao - 2.38-26
 - iconv: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence (CVE-2024-2961)
-- 
Gitee